[html5] r4076 - [ac] (0) Disallow ` in unquoted attribute values.

whatwg at whatwg.org whatwg at whatwg.org
Sun Oct 4 20:31:43 PDT 2009


Author: ianh
Date: 2009-10-04 20:31:43 -0700 (Sun, 04 Oct 2009)
New Revision: 4076

Modified:
   index
   source
Log:
[ac] (0) Disallow ` in unquoted attribute values.

Modified: index
===================================================================
--- index	2009-10-05 02:25:48 UTC (rev 4075)
+++ index	2009-10-05 03:31:43 UTC (rev 4076)
@@ -59367,10 +59367,40 @@
     characters</a>, any U+0022 QUOTATION MARK (<code>"</code>)
     characters, U+0027 APOSTROPHE (<code>'</code>) characters,
     U+003D EQUALS SIGN (<code>=</code>) characters, U+003C LESS-THAN
-    SIGN (<code><</code>) characters, or U+003E GREATER-THAN SIGN
-    (<code>></code>) characters, and must not be the empty
-    string.</p>
+    SIGN (<code><</code>) characters, U+003E GREATER-THAN SIGN
+    (<code>></code>) characters, or U+0060 GRAVE ACCENT (`)
+    characters, and must not be the empty string.</p>
 
+    <!-- The ` character is in this list on a temporary basis, waiting
+         for IE to fix it's parsing bug whereby it treats ` as an
+         attribute value delimiter. Otherwise, escaping software that
+         tries to be clever and not use quotes when it doesn't need to
+         could be tricked by an attacker.
+
+         Posit a site that allows the user to input text that is used
+         verbatim in two attributes, such that the user can set the
+         first attribute's value to:
+
+            `
+
+         ...and the second to:
+
+            ` onload='...payload...' end=x
+
+         ...with the assumption that the site is going to not quote
+         the first one, and quote the second one with double quotes:
+
+            <body title=` class="` onload='...payload...' end=x">
+
+         In IE, this is treated as:
+
+            <body title=' class="'
+                  onload='...payload...'
+                  end='x"'>
+
+    -->
+
+
     <div class=example>
 
      <p>In the following example, the <code title=attr-input-value><a href=#attr-input-value>value</a></code> attribute is given
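Review bot: the markup inconsistency in the changed `<p>` (the grave accent is written bare as `(`)` while its neighbours are `(<code>"</code>)`, `(<code>'</code>)` and `(<code>=</code>)`) and the "it's parsing bug" in the new comment (should be "its") need fixing in `source`, from which this file is regenerated; correcting them in `index` alone would be overwritten on the next build.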
@@ -61481,6 +61511,7 @@
 
    <dt>U+003C LESS-THAN SIGN (<)</dt>
    <dt>U+003D EQUALS SIGN (=)</dt>
+   <dt>U+0060 GRAVE ACCENT (`)</dt>
    <dd><a href=#parse-error>Parse error</a>. Treat it as per the "anything else"
    entry below.</dd>
 
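Review bot: the new `<dt>U+0060 GRAVE ACCENT (`)</dt>` entry shares the `<dd>` that says "Treat it as per the 'anything else' entry below", so a conforming tokenizer still appends ` to the attribute value and merely records a parse error; only conformance checkers are affected, parsing is unchanged. The log line "Disallow ` in unquoted attribute values" and the rationale comment about a browser that treats ` as a delimiter could lead a reader to assume parsing was aligned with that browser. A sentence in the log, or a comment beside the entry, stating that the parse error is the only behavioural change would prevent that misreading.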
@@ -61561,6 +61592,7 @@
    <dt>U+0027 APOSTROPHE (')</dt>
    <dt>U+003C LESS-THAN SIGN (<)</dt>
    <dt>U+003D EQUALS SIGN (=)</dt>
+   <dt>U+0060 GRAVE ACCENT (`)</dt>
    <dd><a href=#parse-error>Parse error</a>. Treat it as per the "anything else"
    entry below.</dd>
 

Modified: source
===================================================================
--- source	2009-10-05 02:25:48 UTC (rev 4075)
+++ source	2009-10-05 03:31:43 UTC (rev 4076)
@@ -76761,10 +76761,40 @@
     characters</span>, any U+0022 QUOTATION MARK (<code>&#x22;</code>)
     characters, U+0027 APOSTROPHE (<code>&#x27;</code>) characters,
     U+003D EQUALS SIGN (<code>=</code>) characters, U+003C LESS-THAN
-    SIGN (<code><</code>) characters, or U+003E GREATER-THAN SIGN
-    (<code>></code>) characters, and must not be the empty
-    string.</p>
+    SIGN (<code><</code>) characters, U+003E GREATER-THAN SIGN
+    (<code>></code>) characters, or U+0060 GRAVE ACCENT (`)
+    characters, and must not be the empty string.</p>
 
+    <!-- The ` character is in this list on a temporary basis, waiting
+         for IE to fix it's parsing bug whereby it treats ` as an
+         attribute value delimiter. Otherwise, escaping software that
+         tries to be clever and not use quotes when it doesn't need to
+         could be tricked by an attacker.
+
+         Posit a site that allows the user to input text that is used
+         verbatim in two attributes, such that the user can set the
+         first attribute's value to:
+
+            `
+
+         ...and the second to:
+
+            ` onload='...payload...' end=x
+
+         ...with the assumption that the site is going to not quote
+         the first one, and quote the second one with double quotes:
+
+            <body title=` class="` onload='...payload...' end=x">
+
+         In IE, this is treated as:
+
+            <body title=' class="'
+                  onload='...payload...'
+                  end='x"'>
+
+    -->
+
+
     <div class="example">
 
      <p>In the following example, the <code
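Review bot: in the changed paragraph, `U+0060 GRAVE ACCENT (`)` should be `U+0060 GRAVE ACCENT (<code>`</code>)` to match `(<code>&#x22;</code>)`, `(<code>&#x27;</code>)` and `(<code>=</code>)` in the same sentence, and in the comment "it's parsing bug" should read "its parsing bug". The comment also calls the restriction temporary without naming a tracking bug or the IE version in which the delimiter behaviour was observed, so there is no stated condition under which it can be lifted; adding a reference (or at least the version tested) would make "temporary" actionable. Finally, the worked example is hidden in an HTML comment, so authors of the rendered spec see only a new prohibited character with no reason; a short visible note such as "for compatibility with a browser that treats ` as an attribute value delimiter" would tell escaping-library authors why they should either quote every value or reject ` in unquoted ones.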
@@ -79153,6 +79183,7 @@
 
    <dt>U+003C LESS-THAN SIGN (<)</dt>
    <dt>U+003D EQUALS SIGN (=)</dt>
+   <dt>U+0060 GRAVE ACCENT (`)</dt>
    <dd><span>Parse error</span>. Treat it as per the "anything else"
    entry below.</dd>
 
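Review bot: the added `<dt>U+0060 GRAVE ACCENT (`)</dt>` carries none of the "temporary basis" rationale given in the comment on the unquoted attribute value syntax earlier in this file, so when the restriction is lifted there is nothing here tying this tokenizer entry (or the matching one in the next hunk) back to that decision. A one-line `<!-- temporary; see the comment on unquoted attribute value syntax -->` beside the entry would make the eventual revert easy to locate and keep the four places consistent.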
@@ -79248,6 +79279,7 @@
    <dt>U+0027 APOSTROPHE (')</dt>
    <dt>U+003C LESS-THAN SIGN (<)</dt>
    <dt>U+003D EQUALS SIGN (=)</dt>
+   <dt>U+0060 GRAVE ACCENT (`)</dt>
    <dd><span>Parse error</span>. Treat it as per the "anything else"
    entry below.</dd>
 
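Review bot: the revision modifies only `index` and `source`; no tokenizer test cases accompany the two new parse-error entries. Since the intended behaviour is "parse error, value unchanged", a pair of cases (` at the start of an unquoted value and ` in the middle of one) asserting both the error and the resulting attribute value would lock that in and would also catch any implementation that copies the delimiter behaviour described in the rationale comment.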



